Behind every stupid user is a stupider security professional

Security professionals should look in the mirror before declaring a user “stupid”.

Like most IT people, I love reading “stupid user” stories. As long as you don’t have to deal with them yourself, they are generally relatable and entertaining. When I saw an article in which a Reddit thread asked IT people to submit the most idiotic things “non-IT people” had asked them, I had to click. I soon became very disappointed, but with the IT people.

While the supposed “idiotic” things are not necessarily security-awareness related, they very well could be, and that is even more concerning. When a user says, “The computer forgot my password,” which is one of the “idiotic” quotes, the IT person probably thinks that the user should know their own password, which they should. However, to me it means that the user relies on the save-password function, and that in theory anyone can walk over to their computer and log into critical systems as them. While perhaps the system only saves passwords for a finite amount of time, a knowledgeable IT person should be asking what the user means by the system forgetting the password, and advising the person never to save the password.


Basically, when I read the complaints from the IT people, they appear not to understand that they are using jargon and terms that are not common to the average end user. You cannot assume that an average person knows the difference between their operating system and their web browser, and frankly the average user probably doesn’t care. I am not sure how many of these “brilliant” IT people remember when Microsoft was criticized for attempting to make Internet Explorer the interface to the Windows operating system. Safari is delivered with MacOS, and is essentially a part of it.

One of the highlighted criticisms of users was of an end user who did not install the dongle in a PC after buying a wireless mouse. In the first place, it is a leap to assume any end user knows what the term “dongle” actually means. And unless a user reads the instructions, given how easy most systems are to use, as well as the prevalence of Bluetooth devices, it is natural for many users to assume that you turn it on and it just works.

There are also many complaints of users assuming that the monitor is the computer. Some users turn on the monitor and don’t realize that they have to turn on the computer. While there could very well be a naiveté to it, there are All-in-One PCs, and there have been different hardware configurations over the years where there was a single “on” switch for the monitor and computer, usually on the keyboard. The fact that the IT person doesn’t realize the potential for the discrepancy says as much about the IT person as it does about the end user.

They describe the end users as idiotic because they think the end user doesn’t have any common sense. There can, however, be no common sense without common knowledge. Users do not have the depth of knowledge that an IT person should have in IT-related subjects. Users do not know the jargon that we use on a regular basis. Knowing how to install equipment is not second nature to them.

What is critical, however, is that a competent IT person, especially one who does end user support, needs to know and understand that end users do not have the same common knowledge that they do. Most important, the IT people, and especially those commenting on the “idiotic” nature of the questions, need to embrace that it is their job to understand end users, who have greatly varying experience with computers. Frankly, if they cannot accept that it is their job to make the most difficult technology understandable to just about any user, they should not be in a support role.


If an IT person went to a medical doctor who used jargon instead of common words and terms to explain illnesses, they would understand what many end users go through. There is a reason why the term “heart attack” is used instead of ventricular arterial blockage, or whatever it would be called. Giving details of the condition has some value to medical professionals; however, it means nothing to a patient, who needs to understand the seriousness of their condition.

I want to be clear that this does not excuse end users who lie about the circumstances or about what they have done. A user who doesn’t tell an IT person that they were attempting to download pornography when something went wrong is impeding the ability of the IT people to diagnose and correct the problem. Likewise, if they claim to have rebooted the system and they haven’t, this wastes time for all parties.

Security awareness is very much the same way. Awareness practitioners need to accept that not all users have the same knowledge that they do. They have to expect that there are end users with no knowledge of the underlying concerns. They cannot assume that everyone will know how to install the latest service pack, nor can they even assume that an end user will know what a service pack is.

There was a slew of stories coming out of a survey performed at the RSA Conference by Bromium, highlighting the one result that security professionals are most frustrated by “stupid users”, the term most commonly used.

To a large extent, security awareness is about giving users common knowledge so they can exercise common sense. When a user makes a security-related mistake, it is frequently because security professionals assumed that the user knew things they did not. While there are exceptions, if there is a failing, it is that the security team did not provide proper training, if they provided training at all.

For example, when I was called in to investigate a successful phishing attack, I asked users why they didn’t check the link in the email message to verify it was legitimate, as it was clearly not. They responded that they used their mobile device to view the email, and nobody told them how to verify links on an iPhone. That was a clear failing of the awareness program.

As security professionals, we tend to know things because we have been exposed to proper security behaviors throughout our careers. However, users do not have the same life experience, and without proper awareness programs, assuming users know better means that you personally do not.

So, if you are like Bromium’s survey participants and believe that users are your biggest headache, take some aspirin and look in the mirror.

Ira Winkler, CISSP is president of Secure Mentem and can be contacted at
